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(57) Abstract: An adaptive multi-tier 
authentication system provides 
secondary tiers of authentication 
which are used only when the user 
attempts a connection from a new 
environment. The invention accepts 
user input such as login attempts and 
responses to the system's questions. 
User login information such as IP 
address, originating phone number, 
or cookies on the user's machine are 
obtained for evaluation. User/usage 
profiles are kept for each user and the 
user login information is compared to 
the information from the user/usage 
profile for the specific user which 
contains all of the user information 
that the user used to establish the 
account and also the usage profile 
detailing the user's access patterns. 
The mast level of the current user 
login location is calculated and the 
invention determines if any additional 
questions to the user are required. If 
the trust level is high, then the user 
is granted access to the system. If the 
trust level is not high enough, then 
questions are sent to the user and the 

user's answers are evaluated and access is granted or denied based on the trust level and answers. The user's profile is updated to 
reflect the access attempt. 
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Adaptive Multi-Tier Authentication System 



5 

BACKGROUND OF THE INVENTION! 



TECHNICAL FIELD 

10 

The invention relates to user access in a computer environment. More 
particularly, the invention relates to adapting a secure user login from different 
originating clients in a computer environment. 

15 

DESCRIPTION OF THE PRIOR ART 

Users commonly have their passwords compromised (lost or stolen). Attackers 
can typically use the stolen usemame/password to impersonate a user from a 
20 remote site. This compromises the service that the attackers infiltrate, which is 
costly to the service providers. 

Most companies allow users access to an Intranet with very little authentication 
(/.&, a minor password). This is an extreme case where the company knows* 
25 where the user is coming from; the access point of the user is in an expected 
area {e.g., inside the company building). When a user accesses a company's 
Intranet from an unexpected area {e.g., from home), users must use a secure ID 
(i.e. a major password) to access the first level. 

30 Other mechanisms used to identify people such as biometrics (thumb prints, 
retinal scanners, etc.) are very expensive and hardware intensive. These type 
of approaches are difficult to install and use. They are also impractical when 
applied to the Internet. 

35 The most common solution to avoiding vulnerability to password theft is to 
require that key material be carried to each authentication environment. 
Sometimes the key material is stored in a smart card, sometimes it is carried in a 
floppy (perhaps containing private keys). Either method is typically not user 
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friendly and tend to suffer problems with the loss or the non-password material 
(or the user forgetting to carry the material). 

It would be advantageous to provide an adaptive multi-tier authentication 
5 system that automatically adapts to the user's login patterns. It would further b e 
advantageous to provide an adaptive multi-tier authentication system that does 
not require additional hardware from the service provider. 

10 SUMMARY OF THE INVENTION 

The invention provides an adaptive multi-tier authentication system. The 
system automatically adapts to the user's login patterns. In addition, the 
invention does not require additional hardware from the service provider by 
1 5 using a query-based security system. 

A preferred embodiment of the invention provides secondary tiers of 
authentication which are used only when the user attempts a connection from a 
new environment. The invention accepts user input such as login attempts and 
20 responses to the system's questions. 

User login information such as IP address, originating phone number, or cookies 
on the user's machine are obtained for evaluation. User/usage profiles are kept 
for each user. 

25 

The user login, information is compared to the information from the user/usage 
profile for the specific user. The user/usage profile contains all of the user 
information that the user used to establish the account and also the usage profile 
detailing the user's access patterns. 

30 

The trust level of the current user login location is calculated and the invention 
determines if any additional questions to the user are required. If the trust level is 
high, then the user is granted access to the system. If the trust level is not high 
enough, then questions are sent to the user. The user's answers are evaluated 
35 and access is granted or denied based on the trust level and answers. The 
user's profile is updated to reflect the access attempt. 
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Other aspects and advantages of the invention win oecome apparent trom tne 
following detailed description in combination with the accompanying drawings, 
illustrating, by way of example, the principles of the invention. 

5 

BRIEF DESCRIPTION OF THE DRAWINGS 

Fig. 1 is a block schematic diagram of a user remote access scenario according to 
the invention; 

10 

Fig. 2 is a block schematic diagram of a multiple access point example according 
to the invention; and 

Fig. 3 is a block schematic diagram of a task viewpoint of the invention according 
15 to the invention. 

DETAILED DESCRIPTION OF THE INVENTION 

The invention is embodied in an adaptive multi-tier authentication system in a 
20 computer environment. A system aocording to the invention automatically 
adapts to the user's login patterns. In addition, the invention provides a system 
that does not require additional hardware from the service provider by using a 
query-based security system. 

25 Users commonly have their passwords compromised (lost or stolen). Attackers 
can typically use the stolen username/password to impersonate a user from a 
remote site. This compromises the service that the attackers infiltrate, which is 
costly to the service providers. The invention makes this type of impersonation 
more difficult by providing secondary tiers of authentication which are used 

30 ONLY when the user attempts a connection from a new environment (i.e., from 
a new computer, kiosk, etc.). 

Referring to Fig. 1 , a simple user interface scenario is shown. The user 1 01 logs 
onto the server 102. The server retrieves the user's stored use profile 103. 
35 The location where the user 101 is accessing the server is checked against the 
user's profile to determine a trust level for the session. The server 102 
determines if any additional security measures must be taken based on the trust 
level. 
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A preferred embodiment of the invention analyzes the user's use of a service 
and typical access points to augment the trust level of each access point. If the 
user is always dialing in from home to access a service such as AOL, the 
invention observes the pattern and, after a while, determines that the trust level 
5 is high when the user accesses the service from home. At that point, the 
invention will allow immediate login inb the service without asking for any 
additional information. 



When the user suddenly goes travelling and accesses the service on the road, 
10 then the user's trust level is downgraded and more authentication questions are 
asked before allowing access. For example, the service may tell the user "We 
are surprised to see you dialing in from California. We just need to do a little 
extra background check on your identity. How many dogs did you tell us that 
you have? What are their names?" 

15 

With respect to Fig. 2, the user may be a salesperson and travels to different 
cities. This user's patterns may be random at best because his access points 
are all across the country 201 , 202, 203. The server 204 takes this into account 
and determines that this is the user's normal pattern. The server 204 records this 
20 fact in the user's profile 205. 



However, if the user logs in to the server 204 at one location 201 and then 
another user logs in using the same identity at another location 203, the server 
204 will immediately downgrade the trust level of the second location and ask 
25 more authentication questions. This also applies to the situation when a user 
logs in the United States, for example, and a similar login occurs in Japan five 
hours later. The invention knows that the time frame is improbable. 

The invention automates the process of tracking information such as IP 
30 addresses, where the user dialed in from, and the access times. A profile of the 
combination of data is used to as a basis to determine the level of trust. For 
example, the invention uses the following criteria to adapt authentication for a 
system: 



35 • Where the user is dialing in from (e.g., phone number). 

• Type of machine being used (e.g., Mac or PC). 

• Operating system on the machine. 

• Cookies/tags that are on the machine. 

• IP address (e.g., same IP address or same subnet). 

4 
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When a user logs on, some distinct aspect of the computer is recorded. In the 
typical case, a random token is written into memory, or onto the disk of the client 
computer. Logon proceeds as usual ONLY if the existing token is located on 
5 the computer used for the login (e.g., an identifying cookie would be used on a 
per-computer basis for HTTP transactions). When the element that is used to 
identify the computer does not match the user's "standard list of computers 
used" then some secondary questions are asked as described above {e.g., 
"What is your birthday?", "What is your home phone number?") before 
1 0 completing the authentication. 

The system adapts and learns new sites that the user logs in from, and then 
proceeds to use the minimal username/password from those sites only. Other 
techniques could be used to identify the logon environment as listed above {i.e., 
15 IP address or dial in line), but the creation of a unique mark (file, cookie, etc.) 
ensures verification of the environment. 

The user is not burdened with having to carry anything with him that could to be 
lost or stolen (e.g., smart cards). This approach is analogous to traditional human 
20 identification systems, where, when the user is known, then additional proof of ID 
is not requested. 

The user immediately knows when something is wrong when the invention 
suddenly asks for more information than usual. For example, if the user logs in 
25 from home, which is a normal situation, and the system asks for more information 
than normal, such as the user's dog's name. The unusual request would be an 
indicator to the user that something may be wrong, prompting the user to call into 
customer support to get more information. 

30 Referring to Fig. 3, the User Access Control module 301 accepts user input 
such as login attempts and responses to the system's questions. The User 
Access Control module 301 has the responsibility to search and check for 
information such as IP address, originating phone number, or cookies on the 
user's machine. The Evaluate User Patterns module 302 takes the information 

35 obtained from the User Access Control module 301 and compares it to the 
usage information from the user/usage profile 303 for the specific user. The 
user/usage profile contains all of the user information that the user used to 
establish the account and also the usage profile detailing the user's access 
patterns. 
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The trust level of the current user login location is calculated and the Evaluate 
User Patterns module 302 determines if any additional questions to the user are 
required. Questions are sent through the User Access Control module 301 to 
5 the user. The user's answers are relayed from the User Access Control module 

301 back to the Evaluate User Patterns module 302. The Evaluate User 
Patterns module 302 grants or denies access based on the trust level and 
answers for any questions that it asked. The Evaluate User Patterns module 

302 updates the user/usage profile 303 for the user with the information just 
1 0 obtained. 

Although the invention is described herein with reference to the preferred 
embodiment, one skilled in the art will readily appreciate that other applications 
may be substituted for those set forth herein without departing from the spirit 
15 and scope of the present invention. Accordingly, the invention should only be 
limited by the Claims included below. 
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CLAIMS 

1. A process for an adaptive secure access system in a computer 
5 environment, comprising the steps of: 

receiving user input; 

accessing information related to a user login request; 
said user login information includes, but is not limited to where the user is 
dialing in from, the type of machine being used, the operating system on said 
1 0 machine, cookies/tags that are on said machine, and IP address; 
providing a plurality of user/usage profiles; 

said profiles includes information relating to user login patterns, user 
personal information, and trust levels for access locations; 

comparing said user login information to the information from the 
1 5 user/usage profile for the specific user; 

determining a trust level for the current user login location; and 
updating the user/usage profile for the user. 

2. The process of Claim 1 , wherein said determining step recognizes and 
20 identifies user login patterns. 

3. The process of Claim 1 , further comprising the step of: 

installing a cookie/tag onto the machine that the user is logging in from. 

25 4. The process of Claim 1 , wherein if said trust level is low, then issuing 
questions to the user relating to the user's personal information. 

5. The process of Claim 4, wherein if said questions are answered correctly, 
then granting access to the user. 

30 

6. The process of Claim 4, wherein if said questions are answered 
incorrectly, then denying access to the user. 

7. The process of Claim 1 , wherein if said trust level is high, then granting 
35 access to the user. 

8. An apparatus for an adaptive secure access system in a computer 
environment, comprising: 

7 
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a module for receiving user input; 

a module for accessing information related to a user login request; 
said user login information includes, but is not limited to where the user is 
dialing in from, the type of machine being used, the operating system on said 
5 machine, cookies/tags that are on said machine, and IP address; 
a plurality of user/usage profiles; 

said profiles includes information relating to user login patterns, user 
personal information, and trust levels for access locations; 

a module for comparing said user login information to the information from 
1 0 the user/usage profile for the specific user; 

a module for determining a trust level for the current user login location; 

and 

a module for updating the user/usage profile for the user. 

15 9. The apparatus of Claim 8, wherein said determining module recognizes 
and identifies user login patterns. 

1 0. The apparatus of Claim 8, further comprising: 

a module for installing a cookie/tag onto the machine that the user is 
20 logging in from. 

1 1 . The apparatus of Claim 8, wherein if said trust level is low, then issuing 
questions to the user relating to the user's personal information. 

25 12. The apparatus of Claim 11, wherein if said questions are answered 
correctly, then granting access to the user. 

13. The apparatus of Claim 11, wherein if said questions are answered 
incorrectly, then denying access to the user. 

30 

14. The apparatus of Claim 8, wherein if said trust level is high, then granting 
access to the user. 

15. A program storage medium readable by a computer, tangibly 
35 embodying a program of instructions executable by the computer to perform 

method steps for an adaptive secure access system in a computer 
environment, comprising the steps of: 
receiving user input; 

accessing information related to a user login request; 

8 
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said user login information includes, but is not limited to where the user is 
dialing in from, the type of machine being used, the operating system on said 
machine, cookies/tags that are on said machine, and IP address; 

providing a plurality of user/usage profiles; 
5 said profiles includes information relating to user login patterns, user 

personal information, and trust levels for access locations; 

comparing said user login information to the information from the 
user/usage profile for the specific user; 

determining a trust level for the current user login location; and 
1 0 updating the user/usage profile for the user. 

16. The method of Claim 15, wherein said determining step recognizes and 
identifies user login patterns. 

15 17. The method of Claim 1 5, further comprising the step of: 

installing a cookie/tag onto the machine that the user is logging in from. 

18. The method of Claim 15, wherein if said trust level is low, then issuing 
questions to the user relating to the user's personal information. 

20 

19. The method of Claim 18, wherein if said questions are answered 
correctly, then granting access to the user. 

20. The method of Claim 18, wherein if said questions are answered 
25 incorrectly, then denying access to the user. 

21. The method of Claim 15, wherein if said trust level is high, then granting 
access to the user. 
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